Meta tries to keep denying EU users a free choice over tracking -- but change is coming
After major privacy enforcement finally hit Meta's tracking ads business in Europe earlier this year, the tech giant has confirmed it will be changing the legal basis it claims for microtargeting users in the region.
It's still not going to ask people for their up-front consent to its data-fuelled behavioral advertising. But it will have to offer users in the European Union an opt-out if they choose to exercise their right to object -- which is a first.
Back in January, Meta was fined around $410M after it found to have breached the EU's General Data Protection Regulation (GDPR) by lacking a valid lawful basis for behavioral advertising and violating the regulation's transparency and fairness principles -- and given three months to get its house in order.
Now, in an update to its earlier blog post about the enforcement, Meta writes that -- from April 5 -- it will claim a "legitimate interests" (LI) basis for processing EU people's information to target them with advertising.
Legitimate interests is one of six possible legal bases for processing personal data under the EU's GDPR. Although at least half of the available legal bases simply aren't relevant -- given the nature of Meta's commercial empire which is not in the business of offering life-saving, public interest-based or legally required services.
The tech giant had been claiming another one of the six to run tracking and profiling-based behavioral advertising -- contractual necessity -- but EU regulators found that to be unlawful.
Meta disputes that finding -- and is appealing the enforcement -- but a regulator-imposed three-month deadline to fix its GDPR compliance is looming early next month so it needs to do something to reset its claim of compliance in the meanwhile, i.e. while its army of lawyers try to figure out how to push water uphill.
In its blog update about the upcoming switch, Meta wrote:
In December, the Irish Data Protection Commission found that Facebook and Instagram must change their approach to the legal basis under GDPR for the purpose of serving behavioural advertisements in Europe. To comply, from Wednesday 5 April we are changing the legal basis that we use to process certain first party data in Europe from ‘Contractual Necessity’ to ‘Legitimate Interests’. GDPR clearly states that there is no hierarchy between legal bases, and none should be considered more valid than any other.
We believe that our previous approach was compliant under GDPR, and our appeal on both the substance of the rulings and the fines continues. However, this change ensures that we comply with the DPC’s decision.
Many EU data protection experts, however, take the view that Meta can't rely on LI for the tracking and profiling that underpins its behavioral ads business -- and will, ultimately, have to ask users for consent in order to be compliant with EU privacy laws (which include the older ePrivacy Directive, as well as the GDPR).
One problem with Meta trying to rely on LI for a mass surveillance behavioral ads business is that this legal ground is supposed to be used for processing that's strictly necessary (i.e. it can't be done in a less intrusive way, such as -- for instance -- doing contextual ad-targeting, rather than personal data-derived microtargeting).
Data processors must also weigh individuals' rights and interests in a balancing tests (in this case to privacy and not being tracked). And any LI balancing test for Meta's surveillance ads business would have to do some serious gymnastics to try to claim the mass scale privacy intrusion of its commercial microtargeting outweighs EU citizens' fundament right to privacy.
While the ePrivacy Directive doesn't allow LI to be used for ad tracking; unless the cookies are "strictly necessary" the required standard is consent.
So the 'something' Meta is being forced to do here does not look like it's going to fix the core legal problem it's finally facing in the EU now that privacy enforcement is starting to bite.
Following the first reports of Meta's planned shift to LI, which was reported by the WSJ, noyb, the privacy rights campaign group behind the original "forced consent" GDPR complaints against Facebook, Instagram and WhatsApp all the way back in May 2018, warned it will be taking "immanent" action in response to what it described as a new "illegal practice" by the tech giant.
noyb isn't specifying exactly what kind of action it will be taking. But, in a statement, its founder and chair Max Schrems said: "Meta is switching one illegal practice for another illegal practice. noyb will take immanent legal action to stop this charade, as it is clear that the Irish regulator of Meta will again be inactive. This is an absurd game and we will stop it as quickly as possible. Like any other company, Meta needs to have a clear yes/no option for users, where they must actively say yes if they want to give up their fundamental rights."
"While some still argue that advertisment would override the fundamental rights of users, this is a minority view. We are not aware of anyone arguing that profiling and tracking at the scale of Meta just to get some ad clicks would fulfil that test. This system of using legitimate interest at least allows for opt-out, which makes it a slight improvement for users," Schrems added.
One key consideration here is the time between the first GDPR complaints filed over Facebook's creepy ads and the final decisions from its lead EU data protection authority, the Irish Data Protection Commission (DPC) -- which took more than four years -- during which period Facebook/Meta got to continue the lucrative (yet unlawful) business of tracking, profiling and monetizing Europeans' eyeballs, racking in far more in profits that it's being asked to hand over in fines.
This means -- if you abandon morality and ethics -- simple maths favor lawbreaking. And, following that mercantile logic, Meta's 'compliance strategy', if we can call it that, appears to hinge on hopping from one dubious claim of compliance to the next to buy itself another rack of years so it can keep making money by exploiting people's privacy while EU regulatory bodies try to keep up and/or squabble amongst themselves.
That's been the usual game of regulatory 'whack-a-mole' to-date. However there's reason to believe this approach is running out of road.
First off, Meta is facing other GDPR complaints and enforcements -- such as a major decision over the suspension of its EU-US data flows. And as more of these decisions land and create precedent there's arguably shrinking wiggle room for it to find routes to circumvent privacy requirements. The rules are just getting more baked in.
Secondly, TikTok very recently tried to pull off a switch from consent to LI -- and was almost immediately jumped on by a number of EU regulators, warning the step would not be compliant, which quickly led it to drop the plan.
So while Meta is seeking to hop from a (bogus) claim of contractual necessity to a (dubious, at best) claim of LI -- before which it also apparently relied upon a faux claim of consent, since it was not actually providing users with a free choice over its tracking which the GDPR requires for consent to be a valid basis -- it's hard to see how it can do something EU regulators literally just blasted TikTok, another ad-driven social network, when it tried doing that.
And on the GDPR front, if the Irish DPC opts to look the other way on this compliance switcheroo despite its earlier engagement with TikTok over a similar move, it risks looking like it's unfairly favoring Meta against rivals it oversees -- which could invite a new host of legal problems for a regulator already saddled with plenty of those.
(We reached out to the DPC with questions about Meta's planned switch to LI but deputy commissioner, Graham Doyle, told us it's not commenting publicly at the moment -- saying Meta has until next week to send its compliance report in line with the decision it issued in January.)
Thirdly, unlike the GDPR, the ePrivacy Directive does not have a centralized enforcement mechanism -- meaning regulators across the EU are empowered to step in in their own markets if they suspect infringements. (Last summer, for instance, the Italian DPA warned TikTok against using LI -- citing the ePrivacy Directive; an intervention that appeared effective at snipping TikTok's plan in the bud.)
So if Meta makes this move it won't require a (long) wait see if the Irish DPC is going to do anything about it -- DPAs in EU Member States like Italy and France can act as quickly as they like, under ePrivacy, which gives them powers to issue dissuasive fines for any breaches they identify. (And France has been busy on that front where cookie breaches are concerned -- including with recent fines for Facebook dark patterns.)
While it remains to be seen whether Meta will buy itself more years, plural, to avoiding giving EU users an up-front say over whether it can violate their privacy rights or not, switching to LI does come with one hard immediate requirement: It will have to offer EU users a way to object to the processing. So this means there will finally be a route for EU users to opt out of its tracking and profiling -- which is a big win, in and of itself. If not still the full package privacy advocates have been fighting for.
In its blog post, Meta alludes only vaguely to this opt-out -- writing: "Relevant users will also be notified of this change, which will give them additional options around how we process certain information to serve behavioural advertisements."
According to the WSJ, which cites people familiar with Meta's planning, the tech giant will offer users in the bloc an opt out of "certain highly personalized ads" -- letting them choose a version of its services that target them with ads based on what the reporting calls "broad categories, such as their age range and general location" -- so, presumably, some form of contextual targeting -- without using tracking data such as what videos they watch or content they click on inside its apps.
Meta will only offer the opt-out to behavioral ads to users in the EU -- so users in the US will continue to not be offered any choice, per the newspaper.
The WSJ reports that users who wish to opt out of Meta's tracking and profiling-based behavioral advertising will have to submit a form objecting to its use of their in-app activity for ads -- which it specifies the company will evaluate prior to implementation.
If correct that detail also looks interesting, since -- under the GDPR -- the right to object to direct marketing is absolute and, as the ICO guidance notes, "you must stop processing when someone objects", so it's not clear what exactly there would be evaluate. (NB: Meta is also facing a class-action style lawsuit in the U.K. over this very point.)
With the tech giant set to be forced at long, long last -- kicking and screaming -- into giving EU users a bare-bones opt-out of its tracking it will be interesting to see how many users go ahead and demand their privacy back.
Where people are offered privacy a majority typically seize it -- such as, for example, iOS users denying third party tracking once Apple made it mandatory that apps on its platform ask people's permission to track them. Although a lot may hinge on how Meta presents the opt-out -- given its penchant for dark pattern design.
Still, choice to deny privacy abuse is coming. And for a surveillance giant like Meta there doesn't seem a way back from this kind of tipping point -- short of a total business model reform.